Created January 27, 2012 16:18
Cisco ASA Firewall Rule Deletion Generator via RedSeal Device Cleanup Analysis Results
#
# PURPOSE:
# The purpose of this script is to generate a list of commands to delete unused access rules from a
# Cisco PIX or ASA firewall. This script is appropriate if you use the RedSeal application:
# http://www.redsealnetworks.com. Currently the results are printed to the screen only.
#
# INSTRUCTIONS:
# When you want to clean up unused rules on a firewall, use the RedSeal application to run a cleanup:
# Tools > Manage Device Cleanup (Alt+T, C). When finished, export the results as a CSV file. Don't
# forget to include the .CSV extension. Run this script and type the name of the file with the
# extension. You will get a list of commands that you can copy and paste into the firewall to delete
# unused rules on a Cisco ASA/PIX firewall.
#
# DISCLAIMER:
# I do not guarantee that this script will work in its entirety. Please read the code to make sure it
# achieves what you have in mind.
#
# TODO:
# - Print results to a file
# X Print results with decreasing line numbers. A copy-and-paste approach to a PIX or ASA firewall
# requires that higher line numbers are entered first
#
puts "Type the name of the file with extension:"
filename = gets.chomp   # chomp (not chomp!) so input without a trailing newline does not become nil
File.open(filename) do |f|
  all_rules = []
  # Keep only rows whose tab-separated columns carry two consecutive zero counts ("\t0\t0"),
  # i.e. rules RedSeal reported as unused. The script assumes tab-separated columns.
  f.readlines.reject { |line| line.match(/\t0\t0/).nil? }.each do |line|
    # The first column is the rule text, tagged with its config line number, e.g. "(config:12)"
    description = line.split("\t").first.strip
    match = description.match(/\(config:(\d+)\)/)
    next if match.nil?   # skip rows without a line-number tag instead of raising NoMethodError
    line_num = match[1]
    # Drop the "(config:N) " tag and insert "line N " once, before the permit/deny keyword
    rule = description.gsub(/\(config:\d+\)\s/, '').sub(/(?=permit|deny)/, "line #{line_num} ")
    all_rules << "no #{rule}"
  end
  # Higher line numbers first, so deleting one rule does not renumber a rule still to be deleted
  all_rules.reverse!
  puts all_rules
end
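The gist reverses the file order to satisfy its "higher line numbers first" TODO, which only holds if the export lists one ACL in ascending line order. The following is an added example, not the gist's code, that parses the same kind of export into a function the caller can test, groups the unused rules per access-list, sorts each group by line number in descending order, and can write the result to a file (the gist's open TODO). The column layout is an assumption modelled on what the gist's regexes expect (tab-separated; the first column is the rule text carrying a "(config:N)" tag; a "\t0\t0" pair marks zero hit counts); the sample export, the column names and the function names are constructed for this example and are not a real RedSeal file.

```ruby
# Added example (not from the gist): turn a RedSeal cleanup export into
# "no access-list ..." commands, per ACL, highest line number first.
# ASSUMPTION: export rows are tab-separated, column 1 is the rule text with a
# "(config:N)" tag, and a "\t0\t0" pair marks a rule with zero hit counts,
# mirroring the gist's own regexes.
require 'tmpdir'

# Constructed sample export (NOT a real RedSeal file; addresses use documentation ranges).
SAMPLE_EXPORT = <<~TSV
  Rule\tHits\tBytes\tDevice
  access-list outside_in (config:3) permit tcp any host 192.0.2.10 eq 443\t1520\t884000\tfw1
  access-list outside_in (config:7) permit udp any host 192.0.2.20 eq 53\t0\t0\tfw1
  access-list outside_in (config:12) deny ip any any\t0\t0\tfw1
  access-list dmz_in (config:2) permit tcp host 198.51.100.5 any eq 22\t0\t0\tfw1
  access-list dmz_in (config:5) permit icmp any any\t42\t3000\tfw1
  some unparsable row without a config tag\t0\t0\tfw1
TSV

UnusedRule = Struct.new(:acl, :line, :text)

# Parse one export row. Returns an UnusedRule, or nil when the row is not an
# unused ACE that can safely be turned into a deletion command.
def parse_unused_rule(row)
  return nil unless row.include?("\t0\t0")        # not reported as unused
  description = row.split("\t").first.to_s.strip
  tag = description.match(/\(config:(\d+)\)/)
  return nil unless tag                            # no line number: do not guess
  acl_name = description[/\Aaccess-list\s+(\S+)/, 1]
  return nil unless acl_name                       # not an access-list entry
  # Remove the "(config:N) " tag, then insert "line N " once, before permit/deny
  text = description.gsub(/\(config:\d+\)\s*/, '')
                    .sub(/(?=permit|deny)/, "line #{tag[1]} ")
  UnusedRule.new(acl_name, tag[1].to_i, text)
end

# All deletion commands, grouped per ACL and ordered so that a higher line
# number is always deleted before a lower one in the same ACL.
def deletion_commands(export_text)
  rules = export_text.each_line.map { |row| parse_unused_rule(row) }.compact
  rules.group_by(&:acl).flat_map do |_acl, acl_rules|
    acl_rules.sort_by { |r| -r.line }.map { |r| "no #{r.text}" }
  end
end

# Write the commands to a file; returns the number of commands written.
def write_commands(export_text, path)
  cmds = deletion_commands(export_text)
  File.write(path, cmds.join("\n") + "\n")
  cmds.size
end

if __FILE__ == $PROGRAM_NAME
  puts deletion_commands(SAMPLE_EXPORT)
  out = File.join(Dir.tmpdir, 'asa_cleanup_example.txt')
  puts "#{write_commands(SAMPLE_EXPORT, out)} commands written to #{out}"
end
```

Rows without a "(config:N)" tag or without an access-list name are dropped rather than turned into a half-formed command, and the generated file should still be read against the running configuration before anything is pasted into the firewall, as the gist's own disclaimer advises.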